When my site's traffic started to ramp up, I wanted to secure the configuration a bit and prevent outsiders on the Internet from accessing my Ghost admin page unless they are on the internal network.

This can be done easily with ingress-nginx, without meddling with the theme or code of Ghost.

You can simply modify the Ingress configuration, either through the Kubernetes Dashboard or by hand-editing it via:

kubectl edit ingress <example-com>

And add the following NGINX snippet to the annotations section of the configuration:

nginx.ingress.kubernetes.io/configuration-snippet: >
      location /ghost/ {
        deny all;
        return 403;
      }
Make sure the location is /ghost/, with a slash on both sides.

Once saved, kubectl will verify the configuration and make it effective immediately.

And you'll get a 403 from NGINX like below:

Access denied from the Internet.

The admin page can still be accessed from the internal network if you:

  • Configure another secret Ingress for ghost admin.
  • Secure it using another annotation for a second ingress with a different URL:
annotations:
  nginx.ingress.kubernetes.io/whitelist-source-range: <your internal subnet range>
Restricting access of a secondary ingress for Ghost
  • Add a Ghost admin URL by modifying the ghost deployment like below:
        env:
        - name: admin__url
          value: "https://securecname.example.com"
This can be modified via kubectl edit deployment <ghost deployment name>
  • Finally, for the ingress-nginx whitelist to work, you will need to change the externalTrafficPolicy of the ingress-nginx-controller service to Local, so that NGINX sees the real client source IP that the whitelist is matched against:
spec:
  externalTrafficPolicy: Local
Modify this via kubectl edit svc ingress-nginx-controller -n ingress-nginx

And now you can access your admin console if you:

  1. access the admin URL at https://securecname.example.com/ghost/, and
  2. are within the whitelist network that you have specified.
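
A complete manifest for the secondary Ingress described in the steps above, as an added example that is not part of the original post. The Ingress name, namespace, Service name `ghost`, port 2368, TLS secret name, ingress class `nginx` and the sample range 10.0.0.0/8 are assumptions; substitute your own values.

```yaml
# Added example: secondary Ingress for the Ghost admin host.
# Assumed values (not from the original post): name "ghost-admin",
# namespace "default", Service "ghost" on port 2368, TLS secret
# "securecname-example-com-tls", ingress class "nginx", and the
# constructed sample range 10.0.0.0/8.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ghost-admin
  namespace: default
  annotations:
    # Only these source ranges reach the backend; any other client
    # receives a 403 from NGINX. This depends on
    # externalTrafficPolicy: Local on the ingress-nginx-controller
    # Service, otherwise NGINX matches against a node IP instead of
    # the real client IP.
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
    # Do not copy the /ghost/ deny snippet from the public Ingress
    # here, or the admin page is blocked on this host as well.
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - securecname.example.com
      secretName: securecname-example-com-tls
  rules:
    - host: securecname.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ghost
                port:
                  number: 2368
```

After applying it, a request to https://securecname.example.com/ghost/ from outside the listed range should return 403, and the same request from inside the range should load the admin login.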